Citrix ADC

SSL built-in actions and user-defined actions

Unless you need only the built-in actions in your policies, you have to create the actions before creating the policies. Then, you can specify the actions when you create the policies. The built-in actions are of two types, control actions and data actions. You use control actions in control policies, and data actions in data policies.

The built-in control actions are:

  • DOCLIENTAUTH—Perform client certificate authentication. (Not supported for TLS1.3)
  • NOCLIENTAUTH—Do not perform client certificate authentication. (Not supported for TLS1.3)

The built-in data actions are:

  • RESET—Close the connection by sending an RST packet to the client.
  • DROP—Drop all packets from the client. The connection remains open until the client closes it.
  • NOOP—Forward the packet without performing any operation on it.

Note: Any action that depends on client authentication, such as clientCertVerification and ssllogProfile, is not supported with the TLS 1.3 protocol.

You can create user-defined data actions. If you enable client authentication, you can create an SSL action to insert client-certificate data into the request header before forwarding the request to the web server.

If a policy evaluation results in an undefined state, an UNDEF action is performed. For either a data policy or a control policy, you can specify RESET, DROP, or NOOP as the UNDEF action. For a control policy, you also have the option of specifying DOCLIENTAUTH or NOCLIENTAUTH.

Examples of built-in actions in a policy

In the following example, if the client sends a cipher other than an EXPORT category cipher, the Citrix ADC appliance requests client authentication. The client has to provide a valid certificate for a successful transaction.

add ssl policy pol1 -rule CLIENT.SSL.CIPHER_EXPORTABLE.NOT -reqAction DOCLIENTAUTH 

The following examples assume that client authentication is enabled.

If the version in the certificate provided by the user matches the version in the policy, no action is taken and the packet is forwarded:

add ssl policy pol1 -rule CLIENT.SSL.CLIENT_CERT.VERSION.EQ(2) -reqAction NOOP 

If the version in the certificate provided by the user matches the version in the policy, the connection is dropped:

add ssl policy pol1 -rule CLIENT.SSL.CLIENT_CERT.VERSION.EQ(2) -reqAction DROP 

If the version in the certificate provided by the user matches the version in the policy, the connection is reset:

add ssl policy pol1 -rule CLIENT.SSL.CLIENT_CERT.VERSION.EQ(2) -reqAction RESET 

Client certificate verification with policy based client authentication

You can set client certificate verification to mandatory or optional when you have configured policy based client authentication. The default is mandatory.

Set client certificate verification to optional using the CLI

At the command prompt, type:

add ssl action <name> -clientAuth ( DOCLIENTAUTH | NOCLIENTAUTH ) [-clientCertVerification ( Mandatory | Optional )]

Example:

add ssl action sslact -clientauth DOCLIENTAUTH -clientcertverification OPTIONAL 

Set client certificate verification to optional using the GUI

  1. Navigate to Traffic Management > SSL > Policies.

  2. On the SSL Actions tab, click Add.

  3. Specify a name and, in the Client Certificate Verification list, select Optional.

User-defined SSL actions

In addition to built-in actions, you can also configure other SSL actions depending on your deployment. These actions are called user-defined actions.

Configure a user-defined SSL action by using the CLI

At the command prompt, type the following commands to configure an action and verify the configuration:

add ssl action <name>
    -clientAuth ( DOCLIENTAUTH | NOCLIENTAUTH )
    -clientCert ( ENABLED | DISABLED ) -certHeader <string>
    -clientHeader <string>
    -clientCertSerialNumber ( ENABLED | DISABLED ) -certSerialHeader <string>
    -clientCertSubject ( ENABLED | DISABLED ) -certSubjectHeader <string>
    -clientCertHash ( ENABLED | DISABLED ) -certHashHeader <string>
    -clientCertIssuer ( ENABLED | DISABLED ) -certIssuerHeader <string>
    -sessionID ( ENABLED | DISABLED ) -sessionIDheader <string>
    -cipher ( ENABLED | DISABLED ) -cipherHeader <string>
    -clientCertNotBefore ( ENABLED | DISABLED ) -certNotBeforeHeader <string>
    -clientCertNotAfter ( ENABLED | DISABLED ) -certNotAfterHeader <string>
    -OWASupport ( ENABLED | DISABLED )
show ssl action [<name>]

Example:

add ssl action Action-SSL-ClientCert -clientCert ENABLED -certHeader "X-Client-Cert" 
show ssl action Action-SSL-ClientCert
1) Name: Action-SSL-ClientCert
   Data Insertion Action:
   Cert Header: ENABLED    Cert Tag: X-Client-Cert
 Done
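The web server behind an action like the one above receives the client certificate as an ordinary request header, so it must trust that header only on requests that actually arrived through the ADC; a request that reaches the back end directly can carry any X-Client-Cert value the sender likes, and with client certificate verification set to Optional the header may be absent altogether. The following Python is an added example, not Citrix code: it assumes the ADC's source address range, two additional header names standing in for the -certSerialHeader and -certSubjectHeader values, and two constructed requests.

```python
from ipaddress import ip_address, ip_network

# Header names (compared case-insensitively). X-Client-Cert is the -certHeader value from the
# example above; the serial and subject names are assumed values for -certSerialHeader and
# -certSubjectHeader, not names taken from the documentation.
CERT_HEADER = "x-client-cert"
SERIAL_HEADER = "x-client-cert-serial"
SUBJECT_HEADER = "x-client-cert-subject"
CERT_HEADERS = (CERT_HEADER, SERIAL_HEADER, SUBJECT_HEADER)

# Addresses from which the ADC reaches this back end (constructed sample value; assumption).
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]


def from_trusted_proxy(peer_ip, trusted=TRUSTED_PROXIES):
    """True when the TCP peer is one of the ADC addresses we expect forwarded traffic from."""
    return any(ip_address(peer_ip) in net for net in trusted)


def client_identity(headers, peer_ip, trusted=TRUSTED_PROXIES):
    """Return the certificate fields the ADC inserted, or None when the request must be
    treated as anonymous. None covers both cases a practitioner has to handle:
      - the request did not come from the ADC, so any X-Client-Cert-* header was set by
        the client itself and proves nothing;
      - the ADC forwarded no certificate header (for example, verification is Optional
        and the client presented no certificate)."""
    if not from_trusted_proxy(peer_ip, trusted):
        return None
    lower = {k.lower(): v for k, v in headers.items()}
    if not lower.get(CERT_HEADER):
        return None
    return {"cert": lower[CERT_HEADER],
            "serial": lower.get(SERIAL_HEADER),
            "subject": lower.get(SUBJECT_HEADER)}


def sanitize_inbound_headers(headers, peer_ip, trusted=TRUSTED_PROXIES):
    """Drop client-certificate headers from requests that did not arrive through the ADC,
    so nothing downstream can mistake a client-supplied header for an ADC-inserted one."""
    if from_trusted_proxy(peer_ip, trusted):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CERT_HEADERS}


# Constructed requests: the same headers, once arriving from the ADC and once sent directly.
VIA_ADC = ({"Host": "app.example.test", "X-Client-Cert": "constructed-cert-blob",
            "X-Client-Cert-Subject": "CN=alice"}, "10.0.0.5")
DIRECT = ({"Host": "app.example.test", "X-Client-Cert": "constructed-cert-blob",
           "X-Client-Cert-Subject": "CN=alice"}, "198.51.100.7")

if __name__ == "__main__":
    print(client_identity(*VIA_ADC))        # subject CN=alice, trusted because it came via the ADC
    print(client_identity(*DIRECT))         # None: identical headers, untrusted origin
    print(sanitize_inbound_headers(*DIRECT))
```

The peer-address check is the simplest form of this control; if the back end sits behind further proxies, the same decision has to be based on whatever hop-by-hop evidence those proxies preserve, and the ADC's network path to the server should be one that other hosts cannot reach.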

Configure a user-defined SSL action by using the GUI

Navigate to Traffic Management > SSL > Policies and, on the Actions tab, click Add.

Configure an SSL action to forward client traffic to another virtual server

Admins can configure an SSL action to forward the client traffic received on an SSL virtual server to another virtual server, instead of offloading SSL or terminating the connection on the ADC appliance. This virtual server can be of type SSL, TCP, or SSL_BRIDGE. For example, admins can choose to forward the request to another virtual server for further action instead of terminating the connection in any of the following cases:

  • The appliance does not have a certificate.
  • The appliance does not support a specific cipher.

To implement this, a new bind point, CLIENTHELLO_REQ, is added to evaluate client traffic when a client hello is received. If the policy bound to the virtual server receiving client traffic evaluates to true after parsing the client hello, the traffic is forwarded to another virtual server. If this virtual server is of type SSL, it performs the handshake. If this virtual server is of type TCP or SSL_BRIDGE, the back-end server performs the handshake.

In release 12.1-49.x, only the forward and reset actions are supported for the CLIENTHELLO_REQ bind point. The following expression prefixes are available:

  • CLIENT.SSL.CLIENT_HELLO.CIPHERS.HAS_HEXCODE
  • CLIENT.SSL.CLIENT_HELLO.CLIENT_VERSION
  • CLIENT.SSL.CLIENT_HELLO.IS_RENEGOTIATE
  • CLIENT.SSL.CLIENT_HELLO.IS_REUSE
  • CLIENT.SSL.CLIENT_HELLO.IS_SCSV
  • CLIENT.SSL.CLIENT_HELLO.IS_SESSION_TICKET
  • CLIENT.SSL.CLIENT_HELLO.LENGTH
  • CLIENT.SSL.CLIENT_HELLO.SNI
  • CLIENT.SSL.CLIENT_HELLO.ALPN.HAS_NEXTPROTOCOL (from release 13.0 build 61.x)

For a description of these prefixes, see Advanced policy expressions: parsing SSL.

A parameter forward is added to the add ssl action command, and a new bind point CLIENTHELLO_REQ is added to the bind ssl vserver command.

Configuration using the CLI

At the command prompt, type:

add ssl action <name> -forward <vserver name>
add ssl policy <name> -rule <expression> -action <action name>
bind ssl vserver <vserver name> -policyName <policy name> -priority <priority> -type <bind point>

Example:

add ssl action act1 -forward v2
add ssl policy pol1 -rule client.ssl.client_hello.ciphers.has_hexcode(0x002f) -action act1
bind ssl vserver v1 -policyName pol1 -priority 1 -type CLIENTHELLO_REQ

Configuration using the GUI

Navigate to Traffic Management > SSL > Policies.

Create SSL action:

  1. In SSL Actions, click Add.
  2. In Create SSL Action, specify a name for the action.
  3. In Forward Action Virtual Server, select an existing virtual server or add a new virtual server to forward the traffic to.
  4. Optionally, set other parameters.
  5. Click Create.

Create SSL policy:

  1. In SSL Policies, click Add.
  2. In Create SSL Policy, specify a name for the policy.
  3. In Action, select the action that you created earlier.
  4. In Expression Editor, enter the rule to evaluate.
  5. Click Create.

Create or add a virtual server and bind policy:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Add or select a virtual server.
  3. In Advanced Settings, click SSL Policies.
  4. Click in the SSL Policy section.
  5. In Select Policy, select the policy that you created earlier.
  6. In Policy Binding, specify a priority for the policy.
  7. In Type, select CLIENTHELLO_REQ.
  8. Click Bind.
  9. Click Done.

For the end-to-end configuration of the most popular use cases, see the following topics:

SSL action to selectively pick CAs based on SNI for client authentication

You can send only the list of CAs that corresponds to the SNI (domain) in the client certificate request, rather than the list of all CAs bound to an SSL virtual server. For example, when a client hello is received, only the CA certificates selected by the SSL policy expression (for example, one that tests the SNI) are sent. To send a specific set of certificates, you must create a CA certificates group. Then, bind this group to an SSL action, and bind the action to an SSL policy. If the policy bound to the virtual server receiving client traffic evaluates to true after parsing the client hello, only that CA certificates group is sent in the certificate request to the client.

Earlier, you had to bind CA certificates to an SSL virtual server. With this enhancement, you can simply add CA certificate groups and associate them with an SSL action.

Note: Enable client authentication and SNI on the SSL virtual server. Bind the correct SNI certificates to the virtual server.

Perform the following steps:

  1. Add a CA certificate group.

  2. Add certificate-key pairs.

  3. Bind the certificate-key pairs to this group.

  4. Add an SSL action.

  5. Add an SSL policy. Specify the action in the policy.

  6. Bind the policy to an SSL virtual server. Specify the bind point as CLIENTHELLO_REQ.

Configuration using the CLI

At the command prompt, type the following commands in a sequence:

add ssl caCertGroup <name>
add ssl certkey <name> -cert <file> -key <file>
bind ssl caCertGroup <group name> <certkey name>
add ssl action <name> -caCertGrpName <group name>
add ssl policy <name> -rule <expression> -action <action name>
bind ssl vserver <vserver name> -policyName <policy name> -priority <priority> -type CLIENTHELLO_REQ

Example:

add ssl cacertGroup ca_cert_group
add ssl certkey ca_certkey1 -cert cacert1 -key cakey1
add ssl certkey ca_certkey2 -cert cacert2 -key cakey2
add ssl certkey snicert -cert snicert -key snikey
bind ssl cacertGroup ca_cert_group ca_certkey1
bind ssl caCertGroup ca_cert_group ca_certkey2

sh ssl caCertGroup ca_cert_group
CA GROUP NAME: ca_cert_group
ACTIONS REFERRING: 1
1) CertKey Name: ca_certkey1    CA Certificate CRLCheck: Optional    CA_Name Sent
2) CertKey Name: ca_certkey2    CA Certificate CRLCheck: Optional    CA_Name Sent

add ssl action pick_ca_group -cacertGrpName ca_cert_group

sh ssl action pick_ca_group
1) Name: pick_ca_group
   Type: Data Insertion
   PickCaCertGroup: ca_cert_group
   Hits: 0
   Undef Hits: 0
   Action Reference Count: 1

add ssl policy snipolicy -rule client.ssl.client_hello.sni.contains("abc") -action pick_ca_group
bind ssl vserver v_SSL -policyName snipolicy -type CLIENTHELLO_REQ -priority 10

sh ssl policy snipolicy
   Name: snipolicy
   Rule: client.ssl.client_hello.sni.contains("abc")
   Action: pick_ca_group
   UndefAction: Use Global
   Hits: 0
   Undef Hits: 0

Policy is bound to following entities
1) Bound to: CLIENTHELLO_REQ VSERVER v_SSL
   Priority: 10

set ssl vserver v_SSL -clientauth ENABLED -SNIEnable ENABLED
bind ssl vserver v_SSL -certkeyName snicert -sniCert

sh ssl vserver v_SSL

   Advanced SSL configuration for VServer v_SSL:
   DH: DISABLED
   DH Private-Key Exponent Size Limit: DISABLED
   Ephemeral RSA: ENABLED    Refresh Count: 0
   Session Reuse: ENABLED    Timeout: 120 seconds
   Cipher Redirect: DISABLED
   SSLv2 Redirect: DISABLED
   ClearText Port: 0
   Client Auth: ENABLED    Client Cert Required: Mandatory
   SSL Redirect: DISABLED
   Non FIPS Ciphers: DISABLED
   SNI: ENABLED
   OCSP Stapling: DISABLED
   HSTS: DISABLED
   HSTS IncludeSubDomains: NO
   HSTS Max-Age: 0
   SSLv2: DISABLED    SSLv3: ENABLED    TLSv1.0: ENABLED    TLSv1.1: ENABLED    TLSv1.2: ENABLED    TLSv1.3: DISABLED
   Push Encryption Trigger: Always
   Send Close-Notify: YES
   Strict Sig-Digest Check: DISABLED
   Zero RTT Early Data: DISABLED
   DHE Key Exchange With PSK: NO
   Tickets Per Authentication Context: 1
   ECC Curve: P_256, P_384, P_224, P_521

1) CertKey Name: snicert    Server Certificate for SNI

   Data policy
1) Policy Name: snipolicy    Priority: 10

1) Cipher Name: DEFAULT
   Description: Default cipher list with encryption strength >= 128bit
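Both CLIENTHELLO_REQ use cases on this page, the forward action keyed on client.ssl.client_hello.ciphers.has_hexcode(0x002f) and the CA group selection keyed on client.ssl.client_hello.sni.contains("abc"), depend on the appliance parsing the client hello before any handshake takes place. The following Python is an added example, not Citrix code and not a NetScaler API: it builds a constructed ClientHello record, parses the fields behind the expression prefixes listed earlier (cipher hex codes, client version, SNI, ALPN, session ticket, the TLS_FALLBACK_SCSV signalling suite behind IS_SCSV, and record length), and evaluates the two policies from the CLI examples in priority order. The rule helpers approximate the ADC expression semantics and are an assumption; the action strings are labels for the actions act1 and pick_ca_group, not appliance output.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600                      # signalling cipher suite behind IS_SCSV
EXT_SERVER_NAME, EXT_ALPN, EXT_SESSION_TICKET = 0, 16, 35


def build_client_hello(client_version=0x0303, ciphers=(0x002F, 0x1301), sni=None,
                       alpn=(), session_ticket=False, session_id=b""):
    """Build a minimal TLS ClientHello record (constructed sample input, not a capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
        data = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(data)) + data
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        data = struct.pack("!H", len(protos)) + protos
        exts += struct.pack("!HH", EXT_ALPN, len(data)) + data
    if session_ticket:
        exts += struct.pack("!HH", EXT_SESSION_TICKET, 0)           # empty ticket extension
    body = struct.pack("!H", client_version) + bytes(32)            # version + zeroed random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                             # one compression method: null
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the fields the expression prefixes inspect; raise ValueError on malformed input."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    if len(record) != 5 + rec_len or rec_len != 4 + hs_len:
        raise ValueError("length fields disagree with record size")
    body, pos = record[9:], 0
    client_version = struct.unpack("!H", body[0:2])[0]
    pos += 2 + 32                                                   # skip version and random
    pos += 1 + body[pos]                                            # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                            # skip compression methods
    info = {"length": len(record), "client_version": client_version, "ciphers": ciphers,
            "sni": None, "alpn": [], "session_ticket": False}
    if pos + 2 > len(body):
        return info                                                 # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos, end = pos + 2, pos + 2 + ext_len
    if end > len(body):
        raise ValueError("extensions overrun the handshake body")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_ALPN and len(data) >= 2:
            q = 2
            while q < len(data):
                n = data[q]
                info["alpn"].append(data[q + 1:q + 1 + n].decode("ascii", "replace"))
                q += 1 + n
        elif etype == EXT_SESSION_TICKET:
            info["session_ticket"] = True
    return info


# Rule helpers approximating the ADC expression prefixes (assumed semantics, not Citrix code).
def has_hexcode(code):            # CLIENT.SSL.CLIENT_HELLO.CIPHERS.HAS_HEXCODE(code)
    return lambda h: code in h["ciphers"]
def sni_contains(text):           # CLIENT.SSL.CLIENT_HELLO.SNI.CONTAINS("text")
    return lambda h: h["sni"] is not None and text in h["sni"]
def is_scsv(h):                   # CLIENT.SSL.CLIENT_HELLO.IS_SCSV
    return TLS_FALLBACK_SCSV in h["ciphers"]

# Policies bound at CLIENTHELLO_REQ as (priority, rule, action), mirroring the two CLI examples.
POLICIES = [
    (1, has_hexcode(0x002F), "forward:v2"),                     # pol1 -> act1 -forward v2
    (10, sni_contains("abc"), "pick_ca_group:ca_cert_group"),   # snipolicy -> pick_ca_group
]

def first_matching_action(record, policies=POLICIES):
    """Parse the hello once, then return the action of the first true rule by ascending priority."""
    info = parse_client_hello(record)
    for _priority, rule, action in sorted(policies, key=lambda p: p[0]):
        if rule(info):
            return action
    return None
```

A hello that offers cipher 0x002f and carries SNI abc.example.test matches both rules, and the priority-1 forward policy wins; a hello without 0x002f but with that SNI selects the CA group; one that matches neither yields None, which on the appliance is where the UNDEF or default handling takes over. The parser raises on truncated or inconsistent length fields rather than guessing, which is the behaviour you want from anything that makes decisions on unauthenticated bytes before the handshake.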

Configuration using the GUI

Create CA certificates group and bind certificates to the group:

  1. Navigate to Traffic Management > SSL > CA Certificates Group.
  2. Click Add and specify a name for the group.
  3. Click Create.
  4. Select the CA certificate group and then click Show Bindings.
  5. Click Bind.
  6. In the CA Certificate Binding page, select an existing certificate or click Add to add a new certificate.
  7. Click Select and then click Bind.
  8. To bind another certificate, repeat steps 5 through 7.
  9. Click Close.

Navigate to Traffic Management > SSL > Policies.

Create SSL action:

  1. In SSL Actions, click Add.
  2. In Create SSL Action, specify a name for the action.
  3. In Forward Action Virtual Server, select an existing virtual server or add a virtual server to forward the traffic to.
  4. Optionally, set other parameters.
  5. Click Create.

Create SSL policy:

  1. In SSL Policies, click Add.
  2. In Create SSL Policy, specify a name for the policy.
  3. In Action, select the action created earlier.
  4. In Expression Editor, enter the rule to evaluate.
  5. Click Create.

Create or add a virtual server and bind policy:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Add or select a virtual server.
  3. In Advanced Settings, click SSL Policies.
  4. Click in the SSL Policy section.
  5. In Select Policy, select the policy that you created earlier.
  6. In Policy Binding, specify a priority for the policy.
  7. In Type, select CLIENTHELLO_REQ.
  8. Click Bind.
  9. Click Done.

Unbind a CA certificate group by using the GUI

  1. Navigate to Traffic Management > SSL > CA Certificates Group.
  2. Select a certificate group and click Show Bindings.
  3. Select the certificate to remove from the group and click Unbind.
  4. If prompted for confirmation, click Yes.
  5. Click Close.

Remove a CA certificate group by using the GUI

  1. Navigate to Traffic Management > SSL > CA Certificates Group.
  2. Select a certificate group and click Delete.
  3. If prompted for confirmation, click Yes.